Client Certificate Authentication issues

Article ID: 170311

Issue/Introduction

A Client needs to authenticate to a website using a unique client certificate provided by said website.

Resolution

If unique client certificates are required to authenticate to the OCS (destination server), then a tunnel must be created through the ProxySG appliance so that the client certificate reaches the OCS, because the proxy does not forward client certificate information before SGOS 6.3.x.

In SGOS 6.3.x, the HTTPS service can be configured to forward the information about the Client Certificate to the OCS, but in some cases, tunneling the request so that the ProxySG appliance does not intercept it may still be required for functionality.

This tunnel can be created using the policy code below, changing out "website.com" for the website being accessed.

This will create a tunnel for all traffic going to that domain, so the ProxySG appliance does not interact with it, thereby allowing the Client Certificate to be processed.

<proxy>
  url.domain=website.com detect_protocol.ssl(no)

As an alternative to this policy, we can create a global rule that disables SSL interception whenever the server requests a client certificate. Because this is a global policy, the domain-specific option above may be preferred.

<SSL-Intercept>
; If the server requests a client certificate, tunnel the SSL traffic via SSL proxy
  client.certificate.requested=yes ssl.forward_proxy(no)
; Otherwise, intercept SSL traffic using HTTPS forward proxy.
  ssl.forward_proxy(https)

; Exclude the bottom rule if you have a rule to bypass SSL interception in VPM.
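The two approaches above can also be combined so that interception is bypassed only for the site that actually requests a client certificate, rather than globally. This is an added example, not policy from the original article; "website.com" is a placeholder for the site being accessed, and it assumes both rules sit in a single <SSL-Intercept> layer where the first matching rule wins.

```cpl
<SSL-Intercept>
; Bypass interception only when the named site asks for a client certificate,
; so the certificate reaches the OCS while other SSL traffic is still inspected.
  url.domain=website.com client.certificate.requested=yes ssl.forward_proxy(no)
; All other SSL traffic is intercepted by the HTTPS forward proxy.
  ssl.forward_proxy(https)
```

Because the condition is evaluated only while it exists in policy, the ProxySG keeps maintaining its Client Certificate Requested list as long as this rule is installed, so a site that requests the certificate only during renegotiation is still detected.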

Policy Terminology

client.certificate.requested=
Tests whether or not the server has requested SSL client certificate authentication.

When the SSL proxy establishes a connection with the server and the server requests an SSL client certificate, this condition is set to yes; else, it is set to no. This condition is NULL for transactions that do not involve an SSL connection to the client.

When the ProxySG evaluates this condition, it uses a list of requesting servers (a Client Certificate Requested list) to determine if a client certificate was requested during both an initial handshake and renegotiation. As long as this condition exists in policy, the ProxySG can automatically detect servers that request a client certificate during renegotiation and maintain the Client Certificate Requested list.